
Commit ba760574 authored by Dmitry Tarnyagin, committed by David S. Miller

caif: Bugfix double kfree_skb upon xmit failure



SKB is freed twice upon send error. The Network stack consumes SKB even
when it returns error code.

Signed-off-by: Sjur Brændeland <sjur.brandeland@stericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent b01377a4
+6 −4
@@ -539,8 +539,10 @@ static int transmit_skb(struct sk_buff *skb, struct caifsock *cf_sk,
	pkt = cfpkt_fromnative(CAIF_DIR_OUT, skb);
	memset(skb->cb, 0, sizeof(struct caif_payload_info));

	if (cf_sk->layer.dn == NULL)
	if (cf_sk->layer.dn == NULL) {
		kfree_skb(skb);
		return -EINVAL;
	}

	return cf_sk->layer.dn->transmit(cf_sk->layer.dn, pkt);
}
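Review bot: the `kfree_skb(skb)` added in the `cf_sk->layer.dn == NULL` branch makes transmit_skb() consume the skb on every return path, but nothing at the function records that ownership rule. Suggest a short comment above transmit_skb() stating that the caller must not touch or free skb after the call, whatever the return value. Only caif_stream_sendmsg() is adjusted in this patch, so any other caller that still calls kfree_skb() on a negative return would now free the buffer twice through this branch; each call site is worth checking before merging.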
@@ -683,10 +685,10 @@ static int caif_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
		}
		err = transmit_skb(skb, cf_sk,
				msg->msg_flags&MSG_DONTWAIT, timeo);
		if (err < 0) {
			kfree_skb(skb);
		if (err < 0)
			/* skb is already freed */
			goto pipe_err;
		}

		sent += size;
	}
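Review bot: in the `if (err < 0)` branch, skb is left pointing at freed memory when control jumps to pipe_err, and the code at that label is outside this hunk. Please confirm that nothing reached from pipe_err dereferences or frees skb; setting `skb = NULL` before the goto would turn a later misuse into a NULL access (and a later kfree_skb() into a no-op) instead of a use-after-free or second free. The comment would also help more if it named who freed the buffer, for example "transmit_skb() consumed skb".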